Closed Bug 1451936 Opened 3 years ago Closed 2 years ago

Heap corruption on allocator mismatch in SignFile()

Categories: (NSS :: Tools, enhancement)
3.34.1 | enhancement | Not set | normal
Tracking: (Not tracked)
Status: RESOLVED FIXED
People: (Reporter: mozillabugs, Assigned: Alex_Gaynor)
Attachments: (1 file)

SignFile() (security\nss\cmd\pk1sign\pk1sign.c) uses PORT_Free() to free memory allocated by PL_Base64Encode(). But PL_Base64Encode() allocates that memory using PR_MALLOC(), which uses a different heap from the one PORT_Free() uses. This usage will corrupt both heaps.

(Note that, e.g., ExportPublicKey() properly uses PR_Free() to free similar memory).

I guess that this bug doesn't actually cause any problem, since the program exits shortly after calling SignFile(). Still, this bug should be fixed to avoid problems in case someone clones SignFile() into a more-sensitive location, such as inside FF.

The bug is on line 181:

101: static int
102: SignFile(FILE *outFile, PRFileDesc *inFile, CERTCertificate *cert)
103: {
104:     SECItem data2sign;
105:     SECStatus rv;
106:     SECOidTag algID;
107:     CERTSignedData sd;
108:     SECKEYPrivateKey *privKey = NULL;
109:     char *data = NULL;
...
165:     data = PL_Base64Encode((const char *)result->data, result->len, NULL);
166:     if (!data) {
167:         returnValue = -1;
168:         goto loser;
169:     }
170: 
171:     fputs("signature:\n", outFile);
172:     fputs(data, outFile);
173:     fputs("\n", outFile);
174:     ExportPublicKey(outFile, cert);
175: 
176: loser:
177:     if (privKey) {
178:         SECKEY_DestroyPrivateKey(privKey);
179:     }
180:     if (data) {
181:         PORT_Free(data); /* data came from PL_Base64Encode(), i.e. PR_MALLOC(); the fix releases it with PR_Free() instead */
182:     }
183:     PORT_FreeArena(arena, PR_FALSE);
184: 
185:     return returnValue;
186: }
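Added example, not code from the report or from NSS/NSPR: it models the two allocator families the report names (NSPR's PR_Malloc/PR_Free and NSS's PORT_Free) as tagged heaps, so that a free through the wrong family is reported instead of silently corrupting memory, and replays SignFile()'s cleanup of `data` before and after the fix. Every `demo_` name and the tagged-header scheme are hypothetical stand-ins, and the signature bytes are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical debug wrappers: every block records which allocator family
 * produced it, so tagged_free() can refuse a free from the other family. */
enum heap_id { HEAP_NSPR = 0x5052, HEAP_NSS = 0x4E53 };
struct hdr { size_t heap; };
static void *tagged_alloc(size_t n, size_t heap) {
    struct hdr *h = malloc(sizeof *h + n);
    if (!h) return NULL;
    h->heap = heap;
    return h + 1;             /* caller sees only the payload after the header */
}
/* 0 on a matched free, -1 on an allocator mismatch (block is left untouched). */
static int tagged_free(void *p, size_t heap) {
    struct hdr *h = p ? (struct hdr *)p - 1 : NULL;
    if (!h) return 0;
    if (h->heap != heap) return -1;   /* wrong family: report, do not free */
    free(h);
    return 0;
}
static void *demo_PR_Malloc(size_t n) { return tagged_alloc(n, HEAP_NSPR); }
static int demo_PR_Free(void *p) { return tagged_free(p, HEAP_NSPR); }
static int demo_PORT_Free(void *p) { return tagged_free(p, HEAP_NSS); }

/* Stand-in for PL_Base64Encode(src, len, NULL): the output buffer is PR_Malloc'd. */
static char *demo_PL_Base64Encode(const unsigned char *src, size_t len) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, o = 0;
    char *out = demo_PR_Malloc(4 * ((len + 2) / 3) + 1);
    if (!out) return NULL;
    for (i = 0; i < len; i += 3) {
        unsigned v = (unsigned)src[i] << 16 | (i + 1 < len ? src[i + 1] << 8 : 0) | (i + 2 < len ? src[i + 2] : 0);
        out[o++] = tbl[v >> 18 & 63];
        out[o++] = tbl[v >> 12 & 63];
        out[o++] = i + 1 < len ? tbl[v >> 6 & 63] : '=';
        out[o++] = i + 2 < len ? tbl[v & 63] : '=';
    }
    out[o] = '\0';
    return out;
}

/* SignFile()'s cleanup of `data`: fixed == 0 frees with PORT_Free() as on line 181
 * (mismatch, returns -1); fixed == 1 frees with PR_Free() as the fix does (returns 0). */
static int signfile_cleanup(int fixed) {
    static const unsigned char sig[] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed */
    char *data = demo_PL_Base64Encode(sig, sizeof sig);
    int rc = data ? (fixed ? demo_PR_Free(data) : demo_PORT_Free(data)) : -2;
    if (rc == -1) demo_PR_Free(data); /* release through the right family after reporting */
    return rc;
}
```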
Assignee: nobody → agaynor
Comment on attachment 8984231 [details]
Bug 1451936 - use the correct free function in SignFile; r?fkiefer

Franziskus Kiefer [:fkiefer or :franziskus] has approved the revision.

https://phabricator.services.mozilla.com/D1583
Attachment #8984231 - Flags: review+
https://hg.mozilla.org/projects/nss/rev/30a4b03cd9d10eaf9dfb4799af41879e0bfac04f
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.38
Group: crypto-core-security → core-security-release
Group: core-security-release